At Congress in Dublin, Adrian Davis talks to Infosecurity’s Eleanor Dallaway about why there are so many middle-aged white men in suits at Congress, and whether recruiters need to stop recruiting CISSPs.
(ISC)2 is very vocal about diversity in cybersecurity, yet Congress seems to be attended by significantly fewer women, fewer ethnic minorities, and fewer young professionals than any other industry event. Why is that?!
I’m not sure that the Congress format encourages diversity. Sitting in a room for two days doesn’t necessarily appeal to a younger audience that want virtual, on-demand content. We need to think about how we reach out to different communities, getting the right content to the right people at the right time. It’s on our radar, and we do want to make it more attractive to different demographics. Ultimately, it’s all about our members.
Are Congress attendees a true representation of (ISC)2 membership? And if so, is (ISC)2 even less diverse than the cybersecurity industry as a whole?
I’d say we’re in line with the industry. There has been a huge gender imbalance for 20 years – and only in the last four or five have we started to see that change, but it’s a slow process, and over the next five or so years I fully expect to see us become more diverse.
In the US, the African American population of the industry has stayed consistent at 4-5% for the last five years, and in the UK, an IT study showed that a non-white IT professional would be paid less on average than an identical candidate that happened to be white. It’s absurd.
Why isn’t cybersecurity attracting more diverse candidates?
As a career and a profession, we haven’t told the right story. We portray either a 16-year-old kid in the basement, or a 50-year-old in a suit that will get sacked if it all goes wrong. The public only hears about us when things go wrong. We haven’t told the story that it’s exciting and it’s about problem-solving, so we haven’t done ourselves any favours. We’ve spent 20 years not doing it right, so it’s time to pull our finger out, so to speak.
We have to remember that what we do is only 25 years old. We’re right to be challenging ourselves about diversity, but are we actually setting unrealistic expectations?
Beyond that, we need to consider not just getting women in, but being able to retain them through the right systems and policies.
On more than one occasion at Congress, people have complained about recruiters placing too much value on certifications and letters after names. What’s your opinion on this?
Not everyone in security needs a CISSP. What happens is that many recruiters and HR departments look for short-cuts and just automatically look for a CISSP or CISSM when it isn’t necessarily a requirement of the job. Recruiters know that if they hire a CISSP, they’ll be hired on a higher salary and they then get a higher fee.
There’s also a lack of understanding about what it actually is. Recruiters will ask for a CISSP but only two years of experience, when a CISSP requires five – it doesn’t add up.
For an individual, a CISSP may not always be right. I didn’t have my CISSP until I got to (ISC)2. I didn’t think I had the experience and knowledge to get it, but looking through it, I realized I had done a lot of it, just not necessarily according to the CISSP domain. So there is a miscommunication there.
For people who haven’t been to the (ISC)2 Congress, what are they missing?
Congress is a chance to step back, think, learn and debate. Attendees can go back to their jobs with greater knowledge to apply to their jobs. This year’s Congress in Dublin is bigger than previous years, with 270 delegates – some travelling from as far as Ethiopia and Estonia. We’d like to see more non-(ISC)2 members attend Congress. Information security is not just for the experts, and we’d like these congresses to be open to all levels of expertise.
Why did (ISC)2 make the decision to move the conference geographically, and where is it going to be next year?
We decided to move it around to support and build the chapter community. It’s great to experience the different cultures and experiences, and where Congress is held determines the topics and themes, which helps bring a fresh perspective each year.
We haven’t actually decided where it will be next year yet. At the moment, while we’re building the event, we go where we have strong membership. When we get to the point where people think ‘I have to be at Congress’, then we can look at the less well-serviced countries.
Yesterday’s panel of young people (14-16 year olds discussing cybersecurity from the youth perspective) was really well-received. What was the thinking behind including that session?
We don’t see how people really use the technology that we, as an industry, secure. So there’s a huge disconnect between the industry and the user. A risk analysis means nothing to a 13-year-old. We should bring more tech-aware teenagers into our events to teach them about our industry, but at the same time, allow them to educate us. It’s a two-way street.
So what’s new for (ISC)2 EMEA? What are your objectives over the next year?
As you’ve heard, there is a global investment in modernizing systems, which is an internal objective.
In EMEA, our objective is all about the member: driving as much value to the community as possible.
We need to make our team bigger to deliver more services, add value to our members and communicate better towards our marketplace. We’re collating and curating knowledge and making it consumable for the community.